Sheriff's Office told state it was protecting driving database

Whenever Clayton Thomas was intrigued by a woman, he wanted to know more about her. And he knew how to find out.

By Bill ThompsonStaff Writer

Whenever Clayton Thomas was intrigued by a woman, he wanted to know more about her. And he knew how to find out.

Whether the former Marion County deputy encountered women in the course of his duties, passed them while driving down the street, noticed them in the parking lot of his apartment complex, or read their names in the newspaper, Thomas fed his curiosity by tapping into their driving records, public documents say.

Officials believe no harm was intended, or that he wanted to use the information for ill purposes.

Still, Thomas, like all other law enforcement officers in Florida, was prohibited from using the state's database of licensed drivers as a "personal search engine," as his habit was characterized in a recent lawsuit brought by an Ocala woman, Kellean Truesdell, who sued over the records breach.

Truesdell sued Thomas as well as county and state officials who, she maintains in court records, failed to protect her sensitive data.

State records indicate that as Thomas was routinely and improperly perusing the personal information and photographs of thousands of Florida women, Sheriff's Office officials were telling the state they had erected appropriate barriers to prevent such snooping.

The most recent instance occurred July 3.

That was when Sheriff Chris Blair submitted the agency's yearly certification confirming that it was complying with the agreement that permits deputies and civilian staffers access to drivers' records.

Compliance partly involves having "adequate controls in place to protect the personal data from unauthorized access," according to the document Blair signed.

Just 12 days later, however, the Florida Department of Highway Safety and Motor Vehicles notified the Sheriff's Office that Thomas, a decorated former SWAT team member and bailiff supervisor, had looked up Attorney General Pam Bondi's driver's license photo on two occasions.

The state's question as to why he did so led to confirmation Thomas misused the system and to a revelation that he had improperly poked around in the records of more than 40,000 women in a three-year period and to his subsequent resignation, which ended a 26-year career.

It also prompted Truesdell to file a lawsuit last week over invasion of privacy and violation of civil rights under the federal Driver's Privacy Protection Act.

Sheriff's office spokesman Capt. Jimmy Pogue said the Sheriff's Office is not the agency responsible for auditing the usage of the database.

Rather, Pogue said in an email, that job belongs to the county's Public Safety Communications Center, whose staff are the liaisons for the Driver and Vehicle Information Database, or DAVID.

They conduct a quarterly, random audit of 10 percent of DAVID users. And, each time a user enters the system, he or she must agree to the terms of how the information is utilized before accessing it.

Pogue added that once the state informed the top brass about Thomas, "swift action" was taken to terminate him.

Ed Dean, Marion's former sheriff, declined to comment, saying he could not recall specifics about Thomas' activities during the time in question.

* * *

Such breaches apparently occur because the database housing the records of Florida's 15.4 million licensed drivers is governed largely by the honor system.

In 2008, the DHSMV began requiring law enforcement agencies across the state to sign a standardized seven-page agreement in order to access the system. To keep that access, the contract mandates that the individual agencies assure the state they will safeguard the drivers' personal data. They do that by regularly monitoring users and conducting quarterly "control reviews" of all authorized users.

The agencies also must perform annual audits of their DAVID requests to "ensure proper and authorized use and dissemination" of the information, the agreement says.

And they must submit to DHSMV an annual "affirmation statement" certifying they have met those requirements.

Further, if any employee no longer needs to utilize the system, they must tell the department within five days so access can be revoked.

"It's up to them to ensure they're using the system correctly," said Leslie Palmer, spokeswoman for the DHSMV.

Palmer explained that the state's approach was driven in part by logistics, given the number of law enforcement agencies and personnel that utilize the database, and because the state trusts those with access to it.

"These are the people who patrol our streets every day. They put their lives on the line. They have a public trust," she said. "And the vast majority of them are using it appropriately."

But neither the state nor the public knows that unless local law enforcement agencies report themselves. The contract does not require the agencies to provide the DHSMV with their quarterly reviews and yearly audits. The state, under the arrangement, only gets the annual affirmation statement.

Palmer acknowledged that the primary way for the state to uncover misuse is for the DHSMV to audit DAVID searches if either the agency or an individual driver suspects a problem exists.

* * *

Thomas' case illustrates how the self-monitoring process can break down. His searches came to light because of a media request made this past summer.

A reporter asked for a list of all the agencies that had searched Bondi's records since January 2010, going back before she was elected the state's top law enforcement official.

The Marion County Sheriff's Office emerged as one of them, since Thomas had searched for Bondi's license photo in August 2010 and again in January 2011.

On July 15, the DHSMV inquired as to whether Thomas was linked to an investigation involving Bondi. The answer was no. That same day, the Internal Affairs unit launched an investigation.

According to that report, Thomas was transferred from the patrol division to the jail in December 2008. In June 2011, he was transferred again. This time it was to the courthouse, where he served as a supervisor for bailiffs.

Internal Affairs Inspector Leo Smith found that between July 2010 and June 2013 Thomas had conducted 42,364 DAVID searches. Fewer than 20 of those involved men.

In an Aug. 27, 2013, letter to the DHSMV that followed Smith's investigation, Sheriff Blair wrote that he believed the actual number of individuals Thomas reviewed was "much less" than the total number of transactions because a search would have brought up many people who share the same name.

Smith discovered that Thomas based his searches on multiple sources of information.

Besides names he knew or read in the newspaper, he trolled through license plate numbers from cars in his apartment complex or that he drove by on the road and also tapped into Social Security numbers from records of jail inmates, the report said.

In one example, Smith noted that Thomas searched a name that returned 91 women from around the state, but only one in Ocala.

The Ocala resident was number 54 on the list and Thomas admitted that he looked at the photos and records of the first 53 until he got to the one who lived locally.

Smith interviewed two of Thomas' former commanders who supervised him while he worked at the courthouse. Both told the investigator that searching the database was not part of Thomas' regular duties, and neither was aware he had routinely done so.

"I can't justify those actions," one told Smith, according to the report.

Meanwhile, state records indicate that during the period Thomas was perusing the records, Sheriff's Office officials were confirming their safeguards were adequate.

Smith had actually uncovered an opportunity to expose Thomas some nine months before the state questioned his probes. In October 2012, while investigating the sex scandal that toppled former Undersheriff Dan Kuhn, Smith determined that Thomas was one of three Sheriff's Office employees who searched the database for Kuhn's mistress, Melissa Cook.

That information was included at the end of Smith's report on Kuhn to former Sheriff Dean, although the employees were not specifically named in the document that was made public.

Palmer, the DHSMV spokeswoman, said neither Dean nor his staff ever notified the agency about a possible breach by Thomas.

Last March, two months after Blair took office, Chief Deputy Fred LaTorre issued a staff memo saying the new administration was aware the database "may have been" misused in the past.

He urged the employees to adhere to the state's protocols for accessing it, and reminded them of the penalties for not abiding by them.

In his Aug. 27 letter, Blair referenced that memo and noted that Thomas had conducted "a handful" of DAVID searches after it was circulated.

Yet, according to Palmer, that letter was the first time the DHSMV learned about Thomas breaching the system.

* * *

This past January, the state decided to scrutinize usage of the database more closely.

That, Palmer said, came after the department realized "some misuse" had occurred.

The DHSMV subsequently instituted biennial on-site audits of individual agencies' DAVID records. It also required them to submit, in addition to the affirmation of the in-house audit, an "attestation" statement that further confirms the law enforcement agency has evaluated its system and has adequate controls to shield personal data.

"I wouldn't characterize it as being widespread misuse, but because we are the keepers of the records and because of the sensitive data, we believed we needed an additional layer" of protection, Palmer said.

The Sheriff's Office was reviewed June 4. After inspecting the agency's records, Christine Burnette, a senior liaison officer with the DHSMV, found that the agency's safeguards were sufficient.